Cryptographic cipher with finite subfield lookup tables for use in masked operations
Abstract
Various features pertain to cryptographic ciphers such as Advanced Encryption Standard (AES) block ciphers. In some examples described herein, a modified masked AES SubBytes procedure uses a static lookup table that is its own inverse in GF(2 2 ). The static lookup table facilitates computation of the multiplicative inverse during nonlinear substitution operations in GF(2 2 ) In an AES encryption example, the AES device combines plaintext with a round key to obtain combined data, then routes the combined data through an AES SubBytes substitution stage that employs the static lookup table and a dynamic table to perform a masked multiplicative inverse in GF(2 2 ) to obtain substituted data. The substituted data is then routed through additional cryptographic AES stages to generate ciphertext. The additional stages may include further SubBytes stages that also exploit the static and dynamic tables. Other examples employ either a static lookup table or a dynamic lookup table but not both.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method operational in a cryptographic device, comprising:
combining, as part of a cryptographic operation, input data with a round key to obtain combined data; routing at least a portion of the combined data through a substitution stage employing at least one of
a static lookup table that is its own inverse in a subfield of a finite field to obtain substituted data,
a dynamic lookup table in the subfield of the finite field where all substitution operations are implemented using permutations to obtain the substituted data, or
an alternative static lookup table in the subfield of the finite field that statically stores all permutations needed to obtain the substituted data; and
routing the substituted data through one or more additional cryptographic stages to generate an output data.
2 . The method of claim 1 , wherein the cryptographic operation is an encryption operation, the input data is plaintext, and the output data is ciphertext.
3 . The method of claim 1 , wherein the cryptographic operation is a decryption operation, the input data is ciphertext, and the output data is plaintext.
4 . The method of claim 1 , wherein the combined data includes one or more of a portion of plaintext, a portion of masked plaintext, a value that is a function of plaintext, a value that is a function of masked plaintext, a portion of ciphertext, a portion of masked ciphertext, a value that is a function of ciphertext and a value that is a function of masked ciphertext.
5 . The method of claim 1 , wherein combining the input data with a round key includes routing the input data through an AddRoundKey stage of an AES cipher wherein each byte of an initial state of the input data is combined with a block of a round key.
6 . The method of claim 5 , wherein the cryptographic operation is an encryption operation and the substitution stage is a masked SubBytes stage operative to perform a non-linear substitution of bytes using the static lookup table that is its own inverse for encryption.
7 . The method of claim 5 , wherein the cryptographic operation is a decryption operation and the substitution stage is a masked InvSubBytes stage operative to perform a non-linear substitution of bytes using the static lookup table for decryption.
8 . The method of claim 1 wherein the finite field is a Galois Field (GF) and the subfield is GF(2 2 ).
9 . The method of claim 8 , wherein the substitution stage is operative to perform masked multiplicative inverse operations in GF(2 2 ).
10 . The method of claim 9 , wherein the masked multiplicative inverse operations in GF(2 2 ) exploit tower fields (GF(2 2 ) 2 ) 2 decomposed from GF(2 8 ).
11 . The method of claim 8 , wherein the static lookup table that is its own inverse is one or more of [·]={00, 01, 10, 11} in GF(2 2 ) and its permutations.
12 . The method of claim 8 , further including exploiting a dynamic lookup table of the substitution stage along with the static table that is its own inverse where the dynamic lookup table receives an input mask and an output mask and generates a masked table that corresponds to the static table that is its own inverse masked by the output mask with an index corrected by the input mask.
13 . The method of claim 12 , wherein the dynamic lookup table of the substitution stage is employed to determine low and high parts of a masked inverse in GF(2 4 ).
14 . A cryptographic device, comprising:
a processing circuit configured to
combine, as part of a cryptographic operation, input data with a round key to obtain combined data;
route at least a portion of the combined data through a substitution stage employing at least one of
a static lookup table that is its own inverse in a subfield of a finite field to obtain substituted data,
a dynamic lookup table in the subfield of the finite field where all substitution operations are implemented using permutations to obtain the substituted data, or
an alternative static lookup table in the subfield of the finite field that statically stores all permutations needed to obtain the substituted data; and
route the substituted data through one or more additional cryptographic stages to generate an output data; and
a storage device configured to store the output data.
15 . The device of claim 14 , wherein the cryptographic operation is an encryption operation, the input data is plaintext, and the output data is ciphertext.
16 . The device of claim 14 , wherein the cryptographic operation is a decryption operation, the input data is ciphertext, and the output data is plaintext.
17 . The device of claim 14 , wherein the combined data includes one or more of a portion of plaintext, a portion of masked plaintext, a value that is a function of plaintext, a value that is a function of masked plaintext, a portion of ciphertext, a portion of masked ciphertext, a value that is a function of ciphertext and a value that is a function of masked ciphertext.
18 . The device of claim 14 wherein the finite field is a Galois Field (GF) and the subfield is GF(2 2 ).
19 . The device of claim 18 , wherein the substitution stage is operative to perform masked multiplicative inverse operations in GF(2 2 ).
20 . A cryptographic device, comprising:
means for combining, as part of a cryptographic operation, input data with a round key to obtain combined data; means for routing at least a portion of the combined data through a substitution stage employing at least one of a static lookup table that is its own inverse in a subfield of a finite field to obtain substituted data, a dynamic lookup table in the subfield of the finite field where all substitution operations are implemented using permutations to obtain the substituted data, or an alternative static lookup table in the subfield of the finite field that statically stores all permutations needed to obtain the substituted data; and means for routing the substituted data through one or more additional cryptographic stages to generate an output data.
21 . The device of claim 20 , wherein the cryptographic operation is an encryption operation, the input data is plaintext, and the output data is ciphertext.
22 . The device of claim 20 , wherein the cryptographic operation is a decryption operation, the input data is ciphertext, and the output data is plaintext.
23 . The device of claim 20 , wherein the combined data includes one or more of a portion of plaintext, a portion of masked plaintext, a value that is a function of plaintext, a value that is a function of masked plaintext, a portion of ciphertext, a portion of masked ciphertext, a value that is a function of ciphertext and a value that is a function of masked ciphertext.
24 . The device of claim 20 wherein the finite field is a Galois Field (GF) and the subfield is GF(2 2 ).
25 . The device of claim 24 , wherein the substitution stage is operative to perform masked multiplicative inverse operations in GF(2 2 ).
26 . A machine-readable storage medium for use with cryptography, the machine-readable storage medium having one or more instructions which when executed by at least one processing circuit causes the at least one processing circuit to:
combine, as part of a cryptographic operation, input data with a round key to obtain combined data; route at least a portion of the combined data through a substitution stage employing at least one of
a static lookup table that is its own inverse in a subfield of a finite field to obtain substituted data,
a dynamic lookup table in the subfield of the finite field where all substitution operations are implemented using permutations to obtain the substituted data, or
an alternative static lookup table in the subfield of the finite field that statically stores all permutations needed to obtain the substituted data; and
route the substituted data through one or more additional cryptographic stages to generate an output data.
27 . The storage medium of claim 26 , wherein the cryptographic operation is an encryption operation, the input data is plaintext, and the output data is ciphertext.
28 . The storage medium of claim 26 , wherein the cryptographic operation is a decryption operation, the input data is ciphertext, and the output data is plaintext.
29 . The storage medium of claim 26 , wherein the combined data includes one or more of a portion of plaintext, a portion of masked plaintext, a value that is a function of plaintext, a value that is a function of masked plaintext, a portion of ciphertext, a portion of masked ciphertext, a value that is a function of ciphertext and a value that is a function of masked ciphertext.
30 . The storage medium of claim 26 wherein the finite field is a Galois Field (GF) and the subfield is GF(2 2 ).Join the waitlist — get patent alerts
Track US2016269175A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.